Download Links

Despite this blog was more than 5 years old (started in 2010 to 2011), Many of the people are still trying to access the materials. I have tried to move whatever materials that I had into the google drive and shared to public.

https://drive.google.com/open?id=0Bwu-47E4m_cHYnVYcGozZ3FJUEE

Just to remind you that these materials are used in 2008 and most likely they are outdated. This is all the materials that I have. Good luck and have fun in UOW.

Lessons Learnt fom Sony Flaw

As you all might notice, earlier 2011, Sony is again in the highlight of news for getting attack from various hackers, exploiting their PlayStation network (PSN) which has roughly 55 millions of users and the music streaming network, QrioCity.

During the attack, Sony PlayStation network has been shutdown, following the forensic security testing. It could be one of the largest case of data theft about 77 millions users. The details of how the attack has been occurred has not yet been published.

However, in Dec 2010, during the Hackers Chaos Communications Conference, the hacking team known as "FailOverflow" has revealed in their presentation that they are now able to decipher the private key used in Play Station 3. Having the private key will allow the users to run any application on the device just like the Sony manufacturer. Sony responded by suing the FailOverflow group, the firmware creator "GeoHot" and others for revealing the root key details and cracks for PS3. Another hacker known as Mathieu Hervais has also discovered the walkaround to the PS3 Firmware 3.56 and announced it in his twitter account. However, he was afraid of Sony legal team, therefore chose not to release the information.

I truly convinced that there is no such thing called "absolute security". Any network that are exposed to public are vulnerable to attack given the skills, resources and time. While feeling sorry for Sony, I am also disappointed that Sony has overlooked the basic security requirement of data.

For instance, Lutz security said that the data stolen from Sony are completed unencrypted. Although I do not know if this information is true, I would think that all the companies and websites that keep the user login, password and important information such as credit cards details must be stored in encrypted format. I realized some programmers simply store the information on their database in plaintext!!!

And the latest series of attacks are in SQL injection according to the AppleRiver. And if these claims were true, I simply think this is a total negligence of Sony for allowing such kind of attacks. This SQL injection should simply not happen.

From this episode, we must be aware that no network is totally secured. All the companies and websites must be proactive in securing their information. By losing to attackers out there, it is not only the unexpected shutdown and expensive forensic analysis but also lose the confidence of customers. While using legal team to contain the damage, you should not forget about the prevention if your business has the nature of online activities.

As for the users, it is very important that your information has been stolen. If your credit cards details are leaked, your card might be misused by someone out there. Most users has the habit of keeping the username and password similar across all kinds of websites, it is likely that once your email password are exposed, your social account such as fackbook and twitter might be stolen too. If you are the one of the stolen customers, you may check with your credit card company on how to control the damage if your card were stolen.

With this unpleasant occasion, Is it a time for the data security to pass to the central authority instead of allowing any individual to keep your valuable information? After all, it is about trust between the service providers and the people.

CSCI 368 Q & A

I have received similar questions from several people who wrote to me to my personal mail. Initially, I try to reply to the sender directly, but i think it is better to build a list here in the blog so that the other people can join in to discuss and record our history. Below are my own thinking and if you have better answer, I sincerely request you to feedback to us.

Q1. Write a protocol, based on Needham-Schroeder, to establish a shared key between three parties, Alice, Bob and Carol using a KDC. Each party trusts the KDC and, at the end of the protocol, should have a common key and be confident that the other two parties also have it.

Ans: Needham-Schroeder Protocol is the basis form of Kerberos protocol. In this protocol, there is a trusted server by all the users known as KDC (Key Distribution Center). When the user want to communicate to other users, the user will request to KDC to generate a shared session key which the user and his intended counterpart can decrypt. It is the authentication between 2 parties. For 3 parties (A,B,C), the keys required will be more than one key with KeyAB, KeyAC and KeyBC (3 keys).

In case, you would like to have just one common key between 3 parties, then the protocol will be a little different. Basically, you will start with the keys shared between KDC and Alice, between KDC and Bob as well as between KDC and Carol. The trick to have the common key and to be confident that the other two parties also have it is to explicitly state the identities of other two parties.


Q2. Write a symmetric{key inter{domain end{to{end authentication protocol. The environment includes two mobile service domains, each with an authentication server. We use AS1 and AS2 to denote the domains and the associated authentication servers. We restrict our attention to two users, Carol and Doug. Carol is registered with AS1 while Doug is registered with AS2. You are to design a protocol for the case where Carol has moved to AS2 and Doug has moved to AS1.

Registration in this symmetric key domain means the two parties have established a shared key which can be used as a basis for authentication. The two authentication servers, AS1 and AS2, share a symmetric key.

In this protocol, we have to assume that AS1 & C are in different inter-domain from AS2 & D. AS1 and AS2 are communicating with shared key between them. In order to register C to AS2, we will have the following steps.

1. C has to request to AS1 that he wanted to communicated with AS2.
2. AS1 will inform AS2 about C's request.
3. AS2 will reply to AS1 with the Key between C and AS2.
4. AS1 will send the key to C and AS2.
Now, there is key shared between C and AS2. Similarly, for D to register with AS1, it will follow the same steps. If you like to provide data freshness, you will need to add the nonces. If you want to provide integrity, you need to hash the key. For confidentiality, you got to ensure that key can be only decrypted by sender and intended receiver. For anonymity, you might want to consider the subliminal identity or nickname for C and D.

Test Driven Development (TDD)

I was recently told about the unit testing in Test Driven Development (TDD) environment. It is not new, but it seems that the practice of TDD is very rare in the development area and very poor documentation or less documents available for the CppUnit testing. I received many emails from people asking what exactly the TDD is and it seems like many people do not understand the usefulness of the TDD. Therefore, I decided to put this article up on the blog.


What is Test-Driven Development?

Since the computers were invented, the programmers faced the software bugs while implementing for new programs. Some will even claim that there is no software that is free from software bugs. It might be possible since our human are imperfect. This phenomenon will be lasting forever as long as systems are getting complex. If you have written any program in any programming languages, I believe you have faced the problem of software bugs that made you scratched your head and hated so much about programming. This is the main motivation of Test-Driven Development (TDD). The word "TESTING" become a part of software development life cycle (SDLC). Testing will enable you to ensure whether your program is working correctly.

Most of the time, we wrote a program from beginning to end. When the program codes are completed, then we try to compile and run the program and check if the program has any errors or bugs. This way is efficient if your program is like printing a "hello world" message. But what if your program is about implementing some complex systems. In this case, we wrote the program by a numbers of functions or modules. In Unit Testing, you will do the testing on function by function or module by module. Basically, You will ensure the correctness of the function before you will continue with next function.


Advantages of Test-Driven Development

Have you encountered case like that? You wrote the program and run it successfully on your computer. But when it deployed at the customer site, your customers are mad and complained that your program have lots of bugs. That is really bad - if you found the problem at final stage of development, you have to spent lot of times to analyze the program from line 1. If you found the problem at customer, then you will lose the business and that is the worst. Why is this thing happened? One of the possibilities is that you missed/skipped some test cases. Another possibilities is you have little time and you do not have enough time for testing. Another fact that I won't deny is that some programmers are lazy to do the testings including myself. Bugs multiply as you wrote the programs. If you have found the bug and solved it in early stage will not only save you more time but also make your customer happier. It is like construction of building. You got to lay strong foundation of building before you step up another level of building. Otherwise, your building will be either swaying to one side or worst collapsed when it's completed.


Test Twice, Write Once

Now you know about Test-Driven Development and its advantages over the conventional programming style. But how? It requires you to do more testings than your coding. Basically, it will change your concept of writing programming. I will give you an example of a function called "addition(a, b)" that will add the input 'a' and 'b' regardless of data types (int or float).


Step 1: Instead of writing your program codes, you will write testing codes with possible inputs. In this case, the possible inputs can be both 'a' and 'b' are integers, floats, or double. Remember that your addition function is still empty with no codes yet.

In your main program:	In your testing program:
addition(a,b){ return a+b; }	testAddition(a,b){ CPP_ASSERT(addition(1,2)==3); //integer CPP_ASSERT(addition(1.0,2.0)==3.0); //float . . . }

With this sample above, when you run your testing program, the return is FALSE since the main program function is empty with no coding.


Step 2: You will now write your code in your main program for addition function.


Step 3: You will run the testing program again. If your main program is correctly written for addition function, the testing program will return TRUE. If you are still getting the result of FALSE, which mean your main program has not correctly written the function for addition and you will modify the function until you can receive the result TRUE in your test program.

In this way, you perform the test twice, and code it once. You will ensure the function of addition before you will continue with other functions such as multiplication(a,b) or division(a,b). This is how the TDD is supposed to be developed.